Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WeryAI video tool — face change

v1.0.0

Swap the face in an existing HTTPS video using a reference face image via WeryAI (video-face-change). Use when the user wants face replacement on a video URL...

by parallel world @zoucdr

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zoucdr/video-tool-face-change.

Install the skill "WeryAI video tool — face change" (zoucdr/video-tool-face-change) from ClawHub.
Skill page: https://clawhub.ai/zoucdr/video-tool-face-change
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: WERYAI_API_KEY
Required binaries: node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install video-tool-face-change

ClawHub CLI

npx clawhub@latest install video-tool-face-change

Security Scan

VirusTotal: Pending
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description (video face-swap) match the required pieces: Node runtime, one API key (WERYAI_API_KEY), and a single script that targets a video-face-change endpoint. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md and the CLI script limit inputs to public https:// URLs and the script validates that. The README explicitly warns not to run other sibling scripts. The included JS enforces URL checks, uses only the declared env var, and does not read local files or perform arbitrary uploads in the visible portion.
Install Mechanism
No install spec is provided (instruction-only with a shipped script). That is lower risk; the only runtime requirement is Node.js 18+, which is reasonable for a JS CLI. Nothing is downloaded from unknown URLs or written to disk by an installer.
Credentials
Only WERYAI_API_KEY is required and declared as the primary credential; the script reads process.env.WERYAI_API_KEY and no other environment variables are referenced in the visible code. This is proportionate to calling a hosted API.
Persistence & Privilege
The skill is not always-enabled and uses normal invocation. It does not request persistent system-wide privileges, does not modify other skills' configs, and contains no indication it would persist credentials to disk (SKILL.md explicitly warns against writing the API key to files).
Assessment
This package appears coherent for the declared purpose, but because it performs face replacement you should consider privacy and consent risks before using. Only provide public HTTPS URLs for the source video and reference image, keep WERYAI_API_KEY secret and dedicated (do not reuse a broad-privilege key), and confirm you want a paid run before issuing submit/wait. If the skill's source is not from a trusted origin, inspect the full scripts folder for any extra CLI files (the SKILL.md warns some unrelated files may be present) and verify the script only talks to api.weryai.com. Finally, ensure you have permission from people depicted in the video before swapping faces.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/video_face_change.js:147: Environment variable access combined with network send.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🙂 Clawdis
Bins: node
Env: WERYAI_API_KEY
Primary env: WERYAI_API_KEY
latest vk974dy6j9yh1bvdyp70t4ztkf983h4c0
96 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

WeryAI video tool — face change

This skill is self-contained: it documents and runs only the face-change workflow on an existing video given by URL. It is not text-to-video or image-to-video generation from scratch.

Entry script: scripts/video_face_change.js (alongside this SKILL.md).

Runtime: WERYAI_API_KEY, Node.js 18+.

Inputs: video_url and image_url must be public https:// URLs. This script does not read local files and does not perform upload-file flows.

What this package ships (verify before trust)

Canonical layout for this skill only:

  • SKILL.md, eval.yaml
  • scripts/video_face_change.js (the only runnable script in scope)

If your copy also contains scripts/video_gen.js, scripts/video_toolkits.js, references/WERYAI_VIDEO_API.md, or other CLIs, those files are not part of this skill’s contract — they may come from another repo sync or an over-broad install. Do not run them when you only want face-change; remove them or reinstall from a clean source. Inspect what you run: node scripts/video_face_change.js spec.

Other tools (multi-endpoint CLIs, local-file upload to growth/upload-file APIs, extra environment variables in those CLIs) are out of scope for this package. This skill’s script uses only WERYAI_API_KEY and public https:// URLs.

API surface (this tool only)

  • Required: video_url, image_url (public https:// URLs)

From this skill root, run node scripts/video_face_change.js spec to print the full tool schema (endpoint, required fields, defaults, enums) as JSON.

Pre-submit gate (mandatory)

Do not run submit / wait until the user explicitly confirms both URLs. Paid runs are not idempotent.

Workflow

Prefer --dry-run to validate JSON. Use wait to submit and poll until the task finishes; use submit only when the user wants a task_id without blocking, then status for later checks. Share final URLs as Markdown links [Video](https://…).

CLI

From this skill root:

node scripts/video_face_change.js wait \
  --json '{"video_url":"https://example.com/video.mp4","image_url":"https://example.com/face.jpg"}'

node scripts/video_face_change.js submit \
  --json '{"video_url":"https://example.com/video.mp4","image_url":"https://example.com/face.jpg"}'

node scripts/video_face_change.js status --task-id <task-id>

Dry-run:

node scripts/video_face_change.js wait \
  --json '{"video_url":"https://example.com/video.mp4","image_url":"https://example.com/face.jpg"}' \
  --dry-run

Security

Never write WERYAI_API_KEY into files. Keep only WERYAI_API_KEY set for this workflow; do not rely on undocumented env vars in sibling scripts if any were mistakenly present. The in-scope script reads only WERYAI_API_KEY (no other env keys). video_face_change.js accepts only https:// media URLs (no disk read / no upload-file). Base URL and poll intervals are constants in the script, not env-driven.

Do not pass local filesystem paths or run tools that accept them unless you have explicitly reviewed and consented to their upload behavior — that is never required for this skill.
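
A static pre-run check for the layout, environment-variable and host claims made under "What this package ships" and "Security" above, as an added example that is not part of this skill or of ClawHub. The allowlists are taken from this page; the sample file list, the HYPOTHETICAL_BASE_URL read and the uploads.example.net host are constructed.

```javascript
// Added example: allowlists come from SKILL.md and the scan assessment; samples are constructed.
const EXPECTED_FILES = new Set(["SKILL.md", "eval.yaml", "scripts/video_face_change.js"]);
const ALLOWED_ENV = new Set(["WERYAI_API_KEY"]);
const ALLOWED_HOSTS = new Set(["api.weryai.com"]);
const DYNAMIC = "<dynamic or whole-object access>";

// Files in the local copy that are not part of the canonical layout.
function unexpectedFiles(relativePaths) {
  return relativePaths
    .map((p) => p.replace(/\\/g, "/").replace(/^\.\//, ""))
    .filter((p) => !EXPECTED_FILES.has(p))
    .sort();
}

// Environment names the source reads other than the declared key. process.env[expr]
// or passing process.env around cannot be resolved statically, so it is reported as DYNAMIC.
function envFindings(source) {
  const out = new Set();
  const staticRef = /^process\.env(?:\.([A-Za-z_$][\w$]*)|\[\s*["'`]([^"'`]+)["'`]\s*\])/;
  for (const m of source.matchAll(/process\.env\b/g)) {
    const hit = staticRef.exec(source.slice(m.index));
    const name = hit ? hit[1] || hit[2] : DYNAMIC;
    if (!ALLOWED_ENV.has(name)) out.add(name);
  }
  return [...out].sort();
}

// Hosts in URL literals other than the declared API host. Parsing with URL means
// "https://api.weryai.com@other.example" is reported as other.example.
function hostFindings(source) {
  const out = new Set();
  for (const m of source.matchAll(/\b(?:https?|wss?):\/\/[^\s"'`\/\\?#]+/gi)) {
    let host;
    try { host = new URL(m[0]).hostname; } catch { host = m[0]; }
    if (!ALLOWED_HOSTS.has(host)) out.add(host);
  }
  return [...out].sort();
}

const auditSkill = (files, source) =>
  ({ files: unexpectedFiles(files), env: envFindings(source), hosts: hostFindings(source) });

// Constructed sample: one extra CLI file, one undeclared env read, one undeclared host.
const SAMPLE_FILES = ["SKILL.md", "eval.yaml", "scripts/video_face_change.js", "scripts/video_gen.js"];
const SAMPLE_SOURCE = [
  'const BASE = "https://api.weryai.com"; const key = process.env.WERYAI_API_KEY;',
  'const alt = process.env["HYPOTHETICAL_BASE_URL"];',
  'fetch("https://uploads.example.net/v1/file");',
].join("\n");
console.log(JSON.stringify(auditSkill(SAMPLE_FILES, SAMPLE_SOURCE), null, 2));
```

On a real copy, pass the recursive file listing of the skill root and the text of scripts/video_face_change.js. A regex scan is a review aid and does not catch hosts or env names assembled at runtime.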

Out of scope

  • Lip-sync–only workflows (different API surface)
  • Text-to-video or image-to-video from scratch
